Fetchmail Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
|
SecurityTracker Alert ID: 1005273 |
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Updated: Sep 29 2002
|
Original Entry Date: Sep 24 2002
|
Impact: Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 6.0.0 and prior versions
|
Description: A buffer overflow vulnerability was reported in fetchmail. A remote user may be able to cause arbitrary code to be executed when fetchmail is operating in multi-drop mode.
It is reported that there are several buffer overflow conditions that can be triggered when fetchmail is running in multi-drop mode.
In several places, the readheaders() parsing function reportedly copies user-supplied email addresses to fixed-size buffers without checking the size of the email address.
A broken boundary check is reported in the getmxrecord() function. A remote user who can send a specially crafted DNS packet to the target server can exploit this flaw to cause fetchmail to crash.
A bug is also reported in the parse_received() function, affecting the parsing of user-supplied "Received:" headers. Portions of the "Received:" header line are copied without validating the size of the copied portion. A remote user can send mail with a specially crafted "Received:" header line to cause fetchmail to overflow the heap with arbitrary code. This bug allows a remote user to execute arbitrary code on the system.
The vendor credits Stefan Esser (e-matters) for reporting these flaws. The e-matters security advisory is available at:
http://security.e-matters.de/advisories/032002.html
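As an added illustration of the unchecked-copy flaw described above for readheaders() and parse_received() (this is not fetchmail's code or the vendor's patch), the following shows an address being copied from a "Received:" line into a fixed-size buffer with the length checked first. The function name `extract_for_addr`, the `ADDR_MAX` size, the choice of the "for <addr>" clause and the sample header are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 128  /* assumed size of the fixed destination buffer */

/*
 * Copy the address from the "for <addr>" clause of a Received: header
 * line into dst (capacity dstlen, including the terminating NUL).
 * Returns 0 on success, -1 if no clause is found or the address does
 * not fit. An oversized address is rejected rather than truncated.
 */
int extract_for_addr(const char *line, char *dst, size_t dstlen)
{
    const char *start, *end;
    size_t len;

    if (line == NULL || dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';

    start = strstr(line, " for <");
    if (start == NULL)
        return -1;
    start += strlen(" for <");
    end = strchr(start, '>');
    if (end == NULL)
        return -1;

    len = (size_t)(end - start);
    /* The flawed pattern copies len bytes with no test at this point;
     * the length must be compared with the buffer size before copying. */
    if (len == 0 || len >= dstlen)
        return -1;

    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample header, not taken from real mail. */
    const char *hdr = "Received: from a.example by b.example for <user@example.org>; Mon";
    char addr[ADDR_MAX];

    if (extract_for_addr(hdr, addr, sizeof addr) == 0)
        puts(addr);
    return 0;
}
```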
|
Impact: A remote user may be able to execute arbitrary code on the system with the privileges of the fetchmail daemon. In some configurations, this may be root privileges.
|
Solution: The vendor has released a fixed version (6.1.0), available at:
http://www.tuxedo.org/~esr/fetchmail/
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0-1.i386.rpm
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0-1.src.rpm
|
Vendor URL: www.tuxedo.org/~esr/fetchmail/
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: mutex@hushmail.com
|
Source Message Contents
|
Date: Mon, 23 Sep 2002 10:22:17 -0700
From: mutex@hushmail.com
Subject: [Full-Disclosure] (no subject)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
is there any more information on this "potential" remote vulnerability?
fetchmail-6.1.0 (Sun Sep 22 18:31:23 EDT 2002), 21999 lines:
* Updated French translation.
* Stefan Esser's fix for potential remote vulnerability in multidrop mode.
This is an important security fix!
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wloEARECABoFAj2PTckTHG11dGV4QGh1c2htYWlsLmNvbQAKCRBLR9YdGwjQEGCjAJ9j
dQWGysbUyLbds8ov0c7trraFswCfSoAdWbhdWhiLD+QJTYnJBRZpz3Q=
=LBY3
-----END PGP SIGNATURE-----